CVE-2025-10168: 
WordPress vulnerability analysis and mitigation

The Any News Ticker plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-10168) discovered in versions up to and including 3.1.1. The vulnerability was disclosed on September 29, 2025, and published in the CVE database on September 30, 2025. The plugin was subsequently closed on September 26, 2025, pending a full security review (NVD Database, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'any-ticker' shortcode. The severity is rated as Medium with a CVSS v3.1 base score of 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database, Wordfence Report).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD Database).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of September 26, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).